Exim Critical Vulnerability Revealed

A corrective release, Exim 4.92.2, has been published that fixes a critical vulnerability (CVE-2019-15846) which, in the default configuration, can lead to remote execution of malicious code as root. The problem only manifests when TLS support is enabled and is exploited by passing a specially crafted client certificate or a crafted SNI value. The vulnerability was identified by Qualys.

The problem lies in the handler that interprets backslash escape sequences in a string (string_interpret_escape() in string.c) and is caused by a '\' at the very end of the string being interpreted as the start of an escape sequence: the terminating null byte ('\0') that follows it is consumed as the escaped character. The pair '\' followed by the terminator is treated as a single character, so the pointer is moved past the end of the string, and the data lying beyond it is processed as if it were the string's continuation.

The code that calls string_interpret_escape() allocates its output buffer based on the length of the input string, while the advanced pointer ends up outside the input's bounds. As a result, processing such a string reads data from beyond the allocated input buffer, and writing the unescaped result can overflow the output buffer, which lives on the heap.
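To make the mechanism concrete, here is an added example in C written for this page, not Exim's own code: a toy escape interpreter and the caller loop that uses it, following the pattern described above, in vulnerable and fixed forms. They are run over a constructed input that ends in a backslash, with known bytes placed after its terminator to stand in for whatever neighbouring heap data would be there. The function names, the subset of escapes handled and the sample data are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

typedef int (*escape_fn)(const unsigned char **pp);

/* Toy unescape routine (not Exim's code) that mirrors the pattern described
 * in the article: *pp points at a backslash, the function decodes the escape
 * and leaves *pp on the last byte it consumed so the caller can step past it. */
static int escape_vulnerable(const unsigned char **pp)
{
    const unsigned char *p = *pp;
    int ch = *(++p);            /* byte after '\' -- may be the '\0' terminator */
    switch (ch) {
    case 'n': ch = '\n'; break;
    case 't': ch = '\t'; break;
    default:  break;            /* '\x' -> 'x'; for a trailing '\' this is the '\0' itself */
    }
    *pp = p;                    /* for a trailing '\' this now sits ON the terminator */
    return ch;
}

/* Same routine with the kind of one-line change the fix boils down to: a
 * backslash that is the last byte of the string is returned literally and
 * *pp is not advanced. */
static int escape_fixed(const unsigned char **pp)
{
    const unsigned char *p = *pp;
    int ch = *(++p);
    if (ch == '\0')
        return **pp;            /* trailing '\': no escape, stay inside the string */
    switch (ch) {
    case 'n': ch = '\n'; break;
    case 't': ch = '\t'; break;
    default:  break;
    }
    *pp = p;
    return ch;
}

/* Caller loop in the style of an unprinting function: it walks the input
 * until it sees a terminator and copies the decoded bytes into a buffer the
 * caller sized as strlen(input)+1. Returns the number of bytes it tried to
 * write; writes are clamped to outsz so the demo itself stays memory-safe,
 * but any count above outsz-1 is exactly what would overflow the real buffer. */
static size_t unescape(const unsigned char *s, unsigned char *out, size_t outsz, escape_fn esc)
{
    const unsigned char *p = s;
    size_t n = 0;
    while (*p) {                /* with escape_vulnerable this re-enters past the terminator */
        int ch = (*p == '\\') ? esc(&p) : *p;
        if (n < outsz - 1) out[n] = (unsigned char)ch;
        n++;
        p++;                    /* step past the last consumed byte */
    }
    out[n < outsz - 1 ? n : outsz - 1] = '\0';
    return n;
}

/* Constructed heap layout (assumption of this example): an attacker-controlled
 * value ending in a backslash, its terminator, then whatever happens to sit
 * next to it in memory. Returns how many bytes the unescape loop produced. */
static size_t bytes_produced(escape_fn esc)
{
    static const unsigned char heap[] = "host\\\0SECRET";  /* 'host\' NUL 'SECRET' NUL */
    size_t alloc = strlen((const char *)heap) + 1;         /* what the caller would allocate: 6 */
    unsigned char out[sizeof heap];                         /* oversized so the demo never overflows */
    return unescape(heap, out, alloc, esc);
}

/* Decode `in` with `esc` and compare against `expected`; 1 on match. */
static int decodes_to(const char *in, const char *expected, escape_fn esc)
{
    unsigned char out[64];
    unescape((const unsigned char *)in, out, sizeof out, esc);
    return strcmp((const char *)out, expected) == 0;
}

int main(void)
{
    printf("vulnerable: %zu bytes produced for a 6-byte buffer\n", bytes_produced(escape_vulnerable));
    printf("fixed:      %zu bytes produced for a 6-byte buffer\n", bytes_produced(escape_fixed));
    printf("ordinary escapes still work: %d\n", decodes_to("a\\nb", "a\nb", escape_fixed));
    return 0;
}
```

The vulnerable variant produces 11 bytes (the value, a stray null, then the six bytes that were never part of the string) for a buffer sized for 6, while the fixed variant stops at 5 and keeps the trailing backslash literal. Ordinary escapes decode identically in both, which is why the bug only shows up for a backslash in the last position.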

In the default configuration, the vulnerability can be exploited by passing specially crafted data in the SNI field when establishing a TLS connection to the server. It can also be exploited through a crafted peerdn value in configurations set up for client certificate authentication, or when importing certificates. Attacks via SNI and peerdn have been possible since Exim 4.80, the release in which string_unprinting() started being used to unescape the peerdn and SNI values.

A proof-of-concept exploit for the SNI vector has been prepared that works on i386 and amd64 Linux systems with glibc. The exploit overflows data on the heap to overwrite the memory holding the name of the log file, replacing it with "/../../../../../../../../etc/passwd". It then overwrites the variable holding the sender's address, which is the first item written to the log, so that a new user is appended to the system's password file.

Package updates fixing the vulnerability have been released by Debian, Ubuntu, Fedora, SUSE/openSUSE and FreeBSD. RHEL and CentOS are not affected as shipped, since Exim is not part of their regular package repositories (an update has already been built in EPEL but has not yet been pushed to the public repository). In the Exim code the problem is fixed by a one-line patch that disables the escape handling of a backslash when it is the last character of the string.

As a workaround, you can disable TLS support or reject any SNI or peerdn value that ends in a backslash by adding the following to the "acl_smtp_mail" ACL (the expansion takes the last character of the value and compares it with a single backslash):

deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}

Source: opennet.ru